The ICO has reprimanded two Northern Irish organisations for disclosing people’s information inappropriately via email. The Patient and Client Council (PCC) and the Executive Office (EO) disclosed recipient details by using inappropriate group email options.

The PCC had sent an email to 15 people across Northern Ireland, each of whom had lived experience of gender dysphoria, using the carbon copy (cc) option. Although the body of the email did not contain personal information, the people who received the email could reasonably infer that the other recipients also had experience of gender dysphoria, given their inclusion in the email. This could have been information the recipients would not wish to be shared with people unknown to them.

The EO’s Interim Advocate’s Office, established following the report of the Historical Institutional Abuse (HIA) Inquiry, sent an e-newsletter to 251 subscribers using the ‘to’ field. Although only email addresses were disclosed, it can be inferred that the people included in the email were likely to be victims and survivors, as the newsletter content was tailored to survivors who were wishing to engage, or who were already engaging, with the HIA Inquiry compensation scheme.

  • The organisations should have found an appropriate alternative such as mail merge.
  • Even if the content of an email is not sensitive or confidential, identifying people who have received it could reveal sensitive or confidential information about them, which may be very distressing and potentially harmful to the people affected.
  • Under data protection law, organisations must have appropriate technical and organisational systems in place to ensure personal data is kept safe and not inappropriately disclosed to others.

For further discussion and support, including data protection awareness training services please email dpa@tiaa.co.uk